In the master configuration the provider is instantiated through a Buildbot service secret manager with the file directory path.
File secrets provider reads the file named by the key wanted by Buildbot and returns the contained text value (removing trailing newlines if present).
SecretInAFile provider allows Buildbot to read secrets in the secret directory.

In the master configuration, the provider is instantiated through a Buildbot service secret manager with the Vault token and the Vault server address.
Vault secrets provider accesses the Vault backend asking the key wanted by Buildbot and returns the contained text value.
SecretInVAult provider allows Buildbot to read secrets in the Vault.

Secrets don’t have to be visible to the normal user via logs and thus are transmitted directly to the workers.
Secrets are rendered and can arrive anywhere in the logs.
The function cleanupTextFromSecrets defined in the class Properties helps to replace the secret value by the key value.

print("the example value is:%s"%(cleantext))>>theexamplevalueis:<foo>

Secret is rendered and it is recorded in a dictionary, named _used_secrets, where the key is the secret value and the value the secret key.
Therefore anywhere logs are written having content with secrets, the secrets are replaced by the value from _used_secrets.

Service configurations are loaded during a Buildbot start or modified during a Buildbot restart.
Secrets are used like renderables in a service and are rendered during the configuration load.

classMyService(BuildbotService):secrets=['foo','other']

secrets is a list containing all the secret keys that can be used as class attributes.
When the service is loaded during the Buildbot reconfigService function, secrets are rendered and the values are updated.
Everywhere the variable with the secret name (foo or other in the example) is used, the class attribute value is replaced by the secret value.
This is similar to the “renderable” annotation, but will only works for BuildbotServices, and will only interpolate secrets.
Others renderables can still be held in the service as attributes, and rendered dynamically at a later time.